Posted on 04-21-2016 07:24 AM
I have a simple Configuration Profile which contains a single payload (Security & Privacy) to manage Apple's Gatekeeper settings. The setting has Gatekeeper disabled (AKA "Allow from Anywhere").
For the record, this configuration was created in the JSS (i.e., not imported from another tool/app). This System Preferences setting has always been set to "Allow from Anywhere" (I haven't toggled it in the past).
Most of my Macs show this profile setting to be correctly installed/applied. However, a few managed Macs appear to be locked in another state ("Mac App Store and identified developers"). The GUI setting is grayed out and therefore not modifiable by the user (as intended via JAMF).
One example Mac that is "stuck" with the wrong Gatekeeper settings is running OS X 10.11.4 (El Capitan).
JSS clearly indicates how it is supposed to be configured:
Have you ever seen this behavior before?
What's the best way to remedy this issue? Do I nuke & pave all Configuration Profiles on this specific Mac and let them get reapplied? Or can I triage this via JAMF commands/scripts?
Posted on 04-21-2016 07:34 AM
Might be Gatekeeper re-arming (which it'll do if it's not been used in 30 days).
To disable re-arm:
#!/bin/sh
# Disable Gatekeeper re-arm
sudo defaults write /Library/Preferences/com.apple.security GKAutoRearm -bool NO
Posted on 04-21-2016 07:47 AM
Ahh. Wow. Not sure how I missed this one. I wasn't aware that GK could re-arm itself.
Is there a way to obtain a Profile's Identifier from the JSS so I know which profile to nuke from a specific Mac?
Posted on 05-04-2016 08:36 AM
@dstranathan I'm seeing the same results in my payload on "some" computers, and de-arming the Gatekeeper "30 day re-arm" after the fact doesn't correct the problem.
I had to add the affected computer to the exclusion list to remove the profile, then Gatekeeper would go to the "Anywhere" setting and not be greyed out. After it returns to "Anywhere", I can remove the exclusion which then pushes the policy back out to the computer and the "Anywhere" setting sticks.
I'm finding the "Security & Privacy" payload is causing more problems than helping. It also messes up users' ability to require a password after sleep, or the ability to log out after inactivity. Even though I don't specify those settings in the payload, it's greyed out on the users' computers. Bug??
I'll probably go back to defaults write commands and script these settings unless there is a better fix out there.
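Added example (not code from any of the posters or from Jamf): a triage script for the situation described in the thread. It tells the "Gatekeeper re-armed itself" case (spctl reports assessments enabled while the profile expects them disabled, and GKAutoRearm is unset or on) apart from a plain profile mismatch, and it answers the identifier question above by pulling the profileIdentifier values out of `profiles -C -v`, which is what `profiles -R -p <identifier>` needs to remove one profile without nuking them all. The parsing and decision functions take command output as arguments, so they run anywhere; the live section at the bottom only executes where spctl, defaults and profiles exist. The sample `profiles -C -v` listing and the identifiers in it are constructed for illustration, and `com.example.jss.gatekeeper` is a placeholder, not a real JSS identifier.

```shell
#!/bin/sh
# Gatekeeper vs. JSS profile triage (added example, not from the thread).

# Normalize `spctl --status` output to enabled/disabled/unknown.
gk_state_from_status() {
    case "$1" in
        *"assessments disabled"*) echo disabled ;;
        *"assessments enabled"*)  echo enabled ;;
        *)                        echo unknown ;;
    esac
}

# Normalize `defaults read /Library/Preferences/com.apple.security GKAutoRearm`.
# 0/NO means re-arm is off; 1/YES or the "does not exist" error (key never
# written) means the 30-day re-arm is still active, which is the default.
rearm_from_defaults() {
    case "$1" in
        0|NO|no|false|FALSE) echo off ;;
        *)                   echo on ;;
    esac
}

# expected: state the profile enforces; observed: from spctl; rearm: on/off.
gk_diagnose() {
    expected=$1; observed=$2; rearm=$3
    if [ "$expected" = "$observed" ]; then
        echo compliant
    elif [ "$expected" = disabled ] && [ "$observed" = enabled ] && [ "$rearm" = on ]; then
        echo rearmed     # classic 30-day re-arm symptom from the second post
    else
        echo mismatch    # profile is wrong for another reason: remove and re-push it
    fi
}

# Extract profileIdentifier values from `profiles -C -v` output, one per line.
profile_ids_from_listing() {
    printf '%s\n' "$1" | sed -n 's/.*profileIdentifier: *//p'
}

# Constructed sample of `profiles -C -v` output; identifiers are placeholders.
SAMPLE_PROFILES_LISTING='_computerlevel[1] attribute: name: Gatekeeper
_computerlevel[1] attribute: profileIdentifier: com.example.jss.gatekeeper
_computerlevel[2] attribute: name: Wi-Fi
_computerlevel[2] attribute: profileIdentifier: com.example.jss.wifi'

# Live section: only on a Mac. Expects the profile to set "Allow from Anywhere".
if command -v spctl >/dev/null 2>&1 && command -v defaults >/dev/null 2>&1; then
    status=$(spctl --status 2>&1)
    rearm_raw=$(defaults read /Library/Preferences/com.apple.security GKAutoRearm 2>&1)
    verdict=$(gk_diagnose disabled \
        "$(gk_state_from_status "$status")" "$(rearm_from_defaults "$rearm_raw")")
    echo "spctl: $status | GKAutoRearm: $rearm_raw | verdict: $verdict"
    case "$verdict" in
        rearmed)
            # Stop future re-arms; the profile still has to be re-applied to
            # flip the current state back to "Anywhere".
            sudo defaults write /Library/Preferences/com.apple.security GKAutoRearm -bool NO
            ;;
        mismatch)
            echo "Installed profile identifiers (pick the Security & Privacy one):"
            profile_ids_from_listing "$(sudo profiles -C -v 2>/dev/null)"
            echo "Remove with: sudo profiles -R -p <identifier>, then re-scope it in the JSS"
            ;;
    esac
fi
```

Removing only the Security & Privacy profile by identifier and letting the JSS push it again is the command-line equivalent of the exclusion-list dance in the last post; disabling GKAutoRearm alone does not undo a re-arm that has already happened, which matches what that poster observed.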